fix: [Bug]: Vulnerability found in moby (CVE-2026-34040) (closes #3614)

[deadanon]

Closes #3614

Summary: Testcontainers-go depends on github.com/moby/go-archive v0.2.0, github.com/moby/moby/api v1.54.1, and github.com/moby/moby/client v0.4.0, which are flagged by CVE-2026-34040 vulnerability scanners as containing a security vulnerability in moby packages.

Root cause: The root go.mod and all 65+ module go.mod files pin moby dependencies (go-archive v0.2.0, moby/api v1.54.1, moby/client v0.4.0) at versions affected by CVE-2026-34040. The go-archive package is directly used in container.go:256 for TarWithOptions when building Docker contexts, and moby/client is used throughout docker.go and other core files for Docker Engine API communication. No patched upstream release is currently available in the Go module proxy.

Approach: Bump all moby dependencies (go-archive, moby/api, moby/client, and any transitive moby/* packages) to patched versions once they are released upstream, then run go mod tidy across the root module and all 66 submodules. The project already has Dependabot configured for monthly go module updates and a Makefile tidy-all target to propagate changes. If the upstream fix is delayed, evaluate whether the vulnerable code path (archive tar handling in container.go or Docker client calls) can be mitigated with input validation or restricted usage.

Automated fix by BugBot

[netlify]

✅ Deploy Preview for testcontainers-go ready!

Name	Link
🔨 Latest commit	321cb88
🔍 Latest deploy log	https://app.netlify.com/projects/testcontainers-go/deploys/69dbf3079d2b3d0008b60aee
😎 Deploy Preview	https://deploy-preview-3648--testcontainers-go.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Updated Docker client and container runtime library dependencies to newer versions across all modules.

Walkthrough

Bumped three indirect Moby-related dependencies across 60 go.mod files: github.com/moby/go-archive (v0.2.0 → v0.2.1-pseudo), github.com/moby/moby/api (v1.54.1 → v1.54.2-pseudo), and github.com/moby/moby/client (v0.4.0 → v0.4.1-pseudo) to address a security vulnerability.

Changes

Cohort / File(s)	Summary
Root and Examples go.mod, examples/nginx/go.mod	Updated three Moby dependencies to newer pseudo-versions for security fix.
All Modules modules/*/go.mod (58 modules)	Updated indirect dependencies: github.com/moby/go-archive, github.com/moby/moby/api, and github.com/moby/moby/client to corresponding newer pseudo-versions across all module workspaces.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• chore(compose): update to compose-v5 #3568 — Updates the same Moby module dependencies in go.mod files.
• chore(deps): bump moby/client v0.4.0, moby/api v1.54.1 #3634 — Modifies dependency pins for the same Moby packages.
• fix(compose): update to docker compose v2.40.2 and use api.Compose interface #3456 — Updates Docker/Moby-related dependency versions in compose module.

Suggested labels

security, dependencies, bug

Suggested reviewers

• mdelapenya

Poem

🐰 Hopping through dependencies with glee,
Moby versions now secure, you see!
Pseudo-versions dance and sway,
Security patched the rabbit way! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly indicates the main change is addressing a CVE-2026-34040 vulnerability in moby dependencies and references the related issue #3614, which aligns with the changeset of updating moby module versions across all go.mod files.
Description check	✅ Passed	The description provides a comprehensive explanation of the vulnerability, its impact, root cause, and the approach taken to fix it by updating moby dependencies and running go mod tidy across all modules.
Linked Issues check	✅ Passed	The PR updates moby dependency versions (go-archive v0.2.0→v0.2.1-..., moby/api v1.54.1→v1.54.2-..., moby/client v0.4.0→v0.4.1-...) across all 66+ go.mod files as required by issue #3614, addressing CVE-2026-34040 vulnerability flags.
Out of Scope Changes check	✅ Passed	All changes are in-scope: only go.mod dependency version updates for moby packages affected by CVE-2026-34040. No unrelated code modifications, API changes, or functional logic alterations are present across the 66 modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

examples/nginx/go.mod (1)

39-41: Upgrade moby dependencies to versions that include the CVE-2026-34040 fix, or document the security acceptance.

The pinned pseudo-versions (github.com/moby/go-archive v0.2.1-0.20260403184245-..., github.com/moby/moby/api v1.54.2-0.20260407083204-..., and github.com/moby/moby/client v0.4.1-0.20260407083204-...) do not contain the upstream fix for CVE-2026-34040, which is in Moby 29.3.1+ daemon code. Go vulnerability scanners (Trivy, govulncheck) treat these versions as vulnerable until the api/client modules are released at or above versions containing the fix. Either upgrade to remediated versions or explicitly document why this security risk is accepted in your environment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/nginx/go.mod` around lines 39 - 41, The pinned moby pseudo-versions
for github.com/moby/go-archive, github.com/moby/moby/api, and
github.com/moby/moby/client are treated as vulnerable for CVE-2026-34040; update
those module requirements to released versions that include the Moby 29.3.1+ fix
(or later) so scanners stop flagging them, or add an explicit security
acceptance note documenting risk and justification (e.g., in a SECURITY.md)
referencing these modules; edit the go.mod entries for
github.com/moby/go-archive, github.com/moby/moby/api, and
github.com/moby/moby/client to point to remediated semver tags or add a clear
documented exception.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@examples/nginx/go.mod`:
- Around line 39-41: The pinned moby pseudo-versions for
github.com/moby/go-archive, github.com/moby/moby/api, and
github.com/moby/moby/client are treated as vulnerable for CVE-2026-34040; update
those module requirements to released versions that include the Moby 29.3.1+ fix
(or later) so scanners stop flagging them, or add an explicit security
acceptance note documenting risk and justification (e.g., in a SECURITY.md)
referencing these modules; edit the go.mod entries for
github.com/moby/go-archive, github.com/moby/moby/api, and
github.com/moby/moby/client to point to remediated semver tags or add a clear
documented exception.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03ef2e65-2d83-43fe-8f15-f9b6828de2f2

📥 Commits

Reviewing files that changed from the base of the PR and between c251392 and 321cb88.

⛔ Files ignored due to path filters (66)

• examples/nginx/go.sum is excluded by !**/*.sum
• go.sum is excluded by !**/*.sum
• modules/aerospike/go.sum is excluded by !**/*.sum
• modules/arangodb/go.sum is excluded by !**/*.sum
• modules/artemis/go.sum is excluded by !**/*.sum
• modules/azure/go.sum is excluded by !**/*.sum
• modules/azurite/go.sum is excluded by !**/*.sum
• modules/cassandra/go.sum is excluded by !**/*.sum
• modules/chroma/go.sum is excluded by !**/*.sum
• modules/clickhouse/go.sum is excluded by !**/*.sum
• modules/cockroachdb/go.sum is excluded by !**/*.sum
• modules/compose/go.sum is excluded by !**/*.sum
• modules/consul/go.sum is excluded by !**/*.sum
• modules/couchbase/go.sum is excluded by !**/*.sum
• modules/databend/go.sum is excluded by !**/*.sum
• modules/dind/go.sum is excluded by !**/*.sum
• modules/dockermcpgateway/go.sum is excluded by !**/*.sum
• modules/dockermodelrunner/go.sum is excluded by !**/*.sum
• modules/dolt/go.sum is excluded by !**/*.sum
• modules/dynamodb/go.sum is excluded by !**/*.sum
• modules/elasticsearch/go.sum is excluded by !**/*.sum
• modules/etcd/go.sum is excluded by !**/*.sum
• modules/forgejo/go.sum is excluded by !**/*.sum
• modules/gcloud/go.sum is excluded by !**/*.sum
• modules/grafana-lgtm/go.sum is excluded by !**/*.sum
• modules/inbucket/go.sum is excluded by !**/*.sum
• modules/influxdb/go.sum is excluded by !**/*.sum
• modules/k3s/go.sum is excluded by !**/*.sum
• modules/k6/go.sum is excluded by !**/*.sum
• modules/kafka/go.sum is excluded by !**/*.sum
• modules/localstack/go.sum is excluded by !**/*.sum
• modules/mariadb/go.sum is excluded by !**/*.sum
• modules/meilisearch/go.sum is excluded by !**/*.sum
• modules/memcached/go.sum is excluded by !**/*.sum
• modules/milvus/go.sum is excluded by !**/*.sum
• modules/minio/go.sum is excluded by !**/*.sum
• modules/mockserver/go.sum is excluded by !**/*.sum
• modules/mongodb/go.sum is excluded by !**/*.sum
• modules/mssql/go.sum is excluded by !**/*.sum
• modules/mysql/go.sum is excluded by !**/*.sum
• modules/nats/go.sum is excluded by !**/*.sum
• modules/nebulagraph/go.sum is excluded by !**/*.sum
• modules/neo4j/go.sum is excluded by !**/*.sum
• modules/ollama/go.sum is excluded by !**/*.sum
• modules/openfga/go.sum is excluded by !**/*.sum
• modules/openldap/go.sum is excluded by !**/*.sum
• modules/opensearch/go.sum is excluded by !**/*.sum
• modules/pinecone/go.sum is excluded by !**/*.sum
• modules/postgres/go.sum is excluded by !**/*.sum
• modules/pulsar/go.sum is excluded by !**/*.sum
• modules/qdrant/go.sum is excluded by !**/*.sum
• modules/rabbitmq/go.sum is excluded by !**/*.sum
• modules/redis/go.sum is excluded by !**/*.sum
• modules/redpanda/go.sum is excluded by !**/*.sum
• modules/registry/go.sum is excluded by !**/*.sum
• modules/scylladb/go.sum is excluded by !**/*.sum
• modules/socat/go.sum is excluded by !**/*.sum
• modules/solace/go.sum is excluded by !**/*.sum
• modules/surrealdb/go.sum is excluded by !**/*.sum
• modules/tidb/go.sum is excluded by !**/*.sum
• modules/toxiproxy/go.sum is excluded by !**/*.sum
• modules/valkey/go.sum is excluded by !**/*.sum
• modules/vault/go.sum is excluded by !**/*.sum
• modules/vearch/go.sum is excluded by !**/*.sum
• modules/weaviate/go.sum is excluded by !**/*.sum
• modules/yugabytedb/go.sum is excluded by !**/*.sum

📒 Files selected for processing (66)

• examples/nginx/go.mod
• go.mod
• modules/aerospike/go.mod
• modules/arangodb/go.mod
• modules/artemis/go.mod
• modules/azure/go.mod
• modules/azurite/go.mod
• modules/cassandra/go.mod
• modules/chroma/go.mod
• modules/clickhouse/go.mod
• modules/cockroachdb/go.mod
• modules/compose/go.mod
• modules/consul/go.mod
• modules/couchbase/go.mod
• modules/databend/go.mod
• modules/dind/go.mod
• modules/dockermcpgateway/go.mod
• modules/dockermodelrunner/go.mod
• modules/dolt/go.mod
• modules/dynamodb/go.mod
• modules/elasticsearch/go.mod
• modules/etcd/go.mod
• modules/forgejo/go.mod
• modules/gcloud/go.mod
• modules/grafana-lgtm/go.mod
• modules/inbucket/go.mod
• modules/influxdb/go.mod
• modules/k3s/go.mod
• modules/k6/go.mod
• modules/kafka/go.mod
• modules/localstack/go.mod
• modules/mariadb/go.mod
• modules/meilisearch/go.mod
• modules/memcached/go.mod
• modules/milvus/go.mod
• modules/minio/go.mod
• modules/mockserver/go.mod
• modules/mongodb/go.mod
• modules/mssql/go.mod
• modules/mysql/go.mod
• modules/nats/go.mod
• modules/nebulagraph/go.mod
• modules/neo4j/go.mod
• modules/ollama/go.mod
• modules/openfga/go.mod
• modules/openldap/go.mod
• modules/opensearch/go.mod
• modules/pinecone/go.mod
• modules/postgres/go.mod
• modules/pulsar/go.mod
• modules/qdrant/go.mod
• modules/rabbitmq/go.mod
• modules/redis/go.mod
• modules/redpanda/go.mod
• modules/registry/go.mod
• modules/scylladb/go.mod
• modules/socat/go.mod
• modules/solace/go.mod
• modules/surrealdb/go.mod
• modules/tidb/go.mod
• modules/toxiproxy/go.mod
• modules/valkey/go.mod
• modules/vault/go.mod
• modules/vearch/go.mod
• modules/weaviate/go.mod
• modules/yugabytedb/go.mod

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Find remaining vulnerable pins in all go.mod files =="
rg -n --glob '**/go.mod' \
  'github\.com/moby/go-archive v0\.2\.0|github\.com/moby/moby/api v1\.54\.1|github\.com/moby/moby/client v0\.4\.0' \
  || true

echo
echo "== Count modules already bumped to expected versions =="
rg -n --glob '**/go.mod' 'github\.com/moby/go-archive v0\.2\.1-0\.20260403184245-7cea6367da40' | wc -l
rg -n --glob '**/go.mod' 'github\.com/moby/moby/api v1\.54\.2-0\.20260407083204-daa0cb7f2359' | wc -l
rg -n --glob '**/go.mod' 'github\.com/moby/moby/client v0\.4\.1-0\.20260407083204-daa0cb7f2359' | wc -l

Repository: testcontainers/testcontainers-go

Length of output: 198

---

🌐 Web query:

`Check whether CVE-2026-34040 (or its GHSA/GO alias) marks these exact versions as fixed:

• github.com/moby/go-archive v0.2.1-0.20260403184245-7cea6367da40
• github.com/moby/moby/api v1.54.2-0.20260407083204-daa0cb7f2359
• github.com/moby/moby/client v0.4.1-0.20260407083204-daa0cb7f2359
  Please include the advisory page(s) and fixed-version ranges.`

💡 Result:

No, CVE-2026-34040 (GHSA-x744-4wpc-v9h2) does not mark the specified versions as fixed. The advisory and NVD state the vulnerability affects Moby/Docker Engine versions prior to 29.3.1, patched in 29.3.1. Fixed version range: >= 29.3.1. The queried versions are pseudo-versions from April 2026 (post-fix release on 2026-03-25), but the advisory does not explicitly list or reference these specific module versions (github.com/moby/go-archive v0.2.1-0.20260403184245-7cea6367da40, github.com/moby/moby/api v1.54.2-0.20260407083204-daa0cb7f2359, github.com/moby/moby/client v0.4.1-0.20260407083204-daa0cb7f2359) as fixed. Vulnerability is in the core Moby daemon (docker-v29.3.1), not explicitly tied to these submodules. Advisory pages: - GHSA-x744-4wpc-v9h2 (primary GHSA) - https://nvd.nist.gov/vuln/detail/CVE-2026-34040 - https://github.com/moby/moby/releases/tag/docker-v29.3.1 (release notes confirming fix)

Citations:

• 1: https://nvd.nist.gov/vuln/detail/CVE-2026-34040
• 2: https://nvd.nist.gov/vuln/detail/cve-2026-34040
• 3: GHSA-x744-4wpc-v9h2
• 4: https://osv.dev/vulnerability/GHSA-x744-4wpc-v9h2
• 5: GHSA-x744-4wpc-v9h2
• 6: v29.3.1 moby/moby#52229
• 7: https://newreleases.io/project/github/moby/moby/release/docker-v29.3.1

---

Confirm scanner recognition of pseudo-versions as fixed for CVE-2026-34040.

Verification confirms that vulnerable pins (v0.2.0, v1.54.1, v0.4.0) are completely removed across all 66 modules, and all dependencies have been uniformly bumped to the post-fix versions. The pseudo-versions are dated 2026-04-07, after the CVE fix release (docker-v29.3.1, 2026-03-25).

However, CVE-2026-34040 advisories do not explicitly enumerate these specific pseudo-versions as fixed. Please confirm that your scanning tool (OSV/advisory database) recognizes these post-fix pseudo-versions as patched, especially if your CI gates on strict version-match semantics.